Zombie attack: coming to a server near you?


Louise Frampton, Editor, Mission Critical Power magazine, discusses the growing threat posed to data centre infrastructure from hackers.

Recent events have highlighted the vulnerabilities of large organisations to cyber crime and the disastrous impact that malware can have on vital operations. This is a wake-up call for all those tasked with ensuring 100% uptime of mission critical services. The WannaCry ransomware attack, which started on 12 May 2017, is the biggest single incident that the UK National Cyber Security Centre (NCSC) has faced. Furthermore, the cyber threat to UK business is significant and growing; in the three months since the NCSC was created, the UK has been hit by 188 high-level attacks, which were serious enough to warrant NCSC involvement, and countless lower level ones.

The NCSC warns that connected devices in areas such as energy (eg smart meters), physical security (eg networked security cameras) and facilities automation (eg connected indoor LED lighting), provide “tangible competitive and business advantage, but the risk of connecting devices may be difficult to assess”.

As a result, it is “likely that there will be an increase in high profile hacking incidents” which impact businesses due to lax security in connected devices. The threat posed by hackers is not just an issue for managers seeking to protect sensitive data, or prevent disruption to business systems and IT-related services.

Cyber security expert, Applied Risk, has witnessed a trend where hackers are rapidly shifting their scope of focus. While targets previously included financial services and banks, industrial environments now represent an increasingly lucrative target. However, the threat against industrial environments is not limited to cyber-attackers seeking financial gain. Hackers could also include nation states, state sponsored actors and potentially even competitors seeking an edge.

Data centres also need to address the security risk within. A report by Koomey Analytics and Anthesis warns that ‘zombie’ servers are unlikely to have the latest security patches, which makes them an ‘open door’ to many enterprise data centres. In previous work, authors Jon Taylor and Jonathan Koomey showed that about 30% of the enterprise servers in a five-facility, 4,000-server sample were comatose.

In this follow-up analysis, the authors assessed the percentage of comatose (also known as zombie) servers in a sample taken in 2015, which covered four times as many servers and twice as many facilities. The analysis showed that about one quarter of physical servers were zombies in companies that had taken no action to remove them (which corresponds to the vast majority of companies running enterprise data centres).

In addition, the data shows that about 30% of the virtual machines running on some of the physical servers (known as hypervisors) were also comatose, demonstrating that the same institutional and measurement problems that inhibit discovery and elimination of zombie physical servers also lead to significant numbers of zombie virtual machines.

The authors point out that finding and eliminating comatose servers would save many enterprises money, but more importantly, taking that action would eliminate an unappreciated security risk. Zombie servers are unlikely to have the latest security patches, which makes them an open door to many enterprise data centres. They warn that ‘if the monetary incentives are not enough to ensure prompt action, concern over cyber security really should’.

Other experts have warned that hackers could target SCADA, PLCs, distributed control systems, or other software-based systems within the data centre, to knock out critical power or cooling infrastructure. According to Dell’s 2015 Annual Security Report, cyber-attacks against SCADA systems doubled in 2014, to more than 160,000.

Outside the facility, the stability of the power supply could be compromised. Three Ukrainian energy distribution companies fell victim to a cyber attack in December 2015, resulting in electricity outages for approximately 225,000 customers across the Ivano-Frankivsk region of Western Ukraine. Attackers gained unauthorised entry into a regional electricity distribution company’s corporate network and ICS, resulting in seven 110 kV and twenty-three 35 kV substations being disconnected for three hours.

Governments, utilities, industry and all business sectors will need to be prepared. The reality could be far more scary than the apocalyptic fiction… A zombie attack is coming to a server near you…
